September 10, 2019
The California Consumer Privacy Act of 2018 (CCPA) is a sweeping departure from existing privacy laws in the United States. The CCPA substantially changes the ways in which companies collect, share*, store, and otherwise use consumer information. One way in which the CCPA applies to companies is when the company “sells” consumer information. The CCPA is very broad in its definition of what constitutes “selling,” which it defines as:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
The definition of a “sale” under the CCPA is very broad, essentially including every conceivable method or structure of transferring consumer information. Such transfers, however, must be in exchange for money or other “valuable consideration.” While valuable consideration is not defined in the CCPA, the law does give the California Attorney General the ability to provide guidelines to further the CCPA’s purpose, which could include further defining “valuable consideration.” Until such time, there is uncertainty as to what would constitute consideration under the CCPA, and it is likely that this provision could be interpreted using the definition of “consideration” drawn from California contract law. Under California contract law, consideration is defined as:
“[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” Cal. Civ. Code § 1605.
Operating under the that definition of consideration, any transfer of consumer information by one entity to another entity would be considered a sale under the CCPA if the transferring entity receives any benefit that it would not have received absent the agreement between the parties. Using this definition of consideration would mean that most transfers of consumer information would constitute a “sale” under the CCPA. Even if the only benefit were the information itself, information, as we all know, carries value and is a benefit.
Even with this broad definition of a “sale” under the CCPA, the law provides four exclusions that would allow companies to share consumer information without it constituting a “sale.”
1. Consumer Intends for Business to Disclose
First, the CCPA does not consider it a “sale” when the transfer of consumer information is done as a result of a consumer either “direct[ing] the business to intentionally disclose personal information or us[ing] the business to intentionally interact with a third party, provided the third party does not also sell the personal information.” This type of interaction must be intentional, meaning that the consumer intends to interact with the third party through deliberate actions. Passive actions are insufficient to establish the requisite intent to qualify for this exclusion.
This exclusion could likely come into play in the context of a consumer purchasing a product online from a merchant, like eBay, and using a payment service such as PayPal in order to pay for the purchase. In this context, the consumer would require eBay to share consumer information with PayPal for the purposes of securing payment for the purchase. Assuming PayPal does not subsequently sell the consumer information, this transfer of consumer information would likely not constitute a sale under the CCPA because the sharing of the consumer information is a result of the consumer causing eBay to interact with PayPal.
2. Informing Third Parties of Consumer Opt Out
The second exclusion under the CCPA is when a business shares an identifier with a third party in order for the business to inform the third party about the consumer’s choice to opt-out of the sale of their personal information. This exclusion is likely going to be used more frequently after the CCPA takes effect on January 1, 2020, as consumers begin to exercise their new rights to opt-out of the sharing of their information under the CCPA.
An example of such a transaction that would qualify for this example could involve a consumer opting out of their information being collected for the purposes of advertising. For example, Facebook may be collecting personal information and selling it to other parties for the use of advertising. A California consumer decides that she no longer want her information being sold and informs Facebook of that decision. Facebook would then notify the third parties of the consumer’s decision to opt-out using an identifier that would be sufficient to enable the third parties to identify the consumer information that can no longer be used. This process of informing third parties not to sell information would not itself constitute a “sale” under the CCPA.
3. Sharing with Service Providers
The third exclusion from a sale under the CCPA involves the sharing of consumer information with a service provider so that the service provider can provide services on the business’s behalf. In order for a transaction to qualify for this exclusion under the CCPA, three requirements must be met: (1) there is a service provider providing a service on the covered business’s behalf; (2) the service provider does not sell the personal information; (3) the covered business utilizing the service provider provides proper notice to the consumer regarding the information sharing in its terms and conditions; and (4) the service provider does not collect, sell, or otherwise use the consumer information except for those uses necessary to provide the contracted-for service.
This exclusion may arise in the context of fraud detection and prevention. For example, an online merchant may use a service provider to verify consumer information in order to cut down on the number of fraudulent transactions occurring on the merchant’s website. This may be done by sharing the consumer’s information with the service provider in order to verify the identity of the purchaser. In this case, the sharing of the information would not be considered a “sale” under the CCPA so long as assuming the service provider follows the above requirements and is engaged to provide the service via a contract that sets out the restrictions on using the data for anything other than the contracted-for purposes.
4. Purchasing Consumer Information as an Asset of a Business
The fourth “sale” exclusion under the CCPA occurs when consumer information is sold “as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with [the CCPA].” In the event of such a transaction, the transfer of the information to the new owner is not considered a sale. However, the new owner will have to meet CCPA requirements regarding any changes it wishes to make to privacy policies that are inconsistent with the what was in place at the time the personal information was collected and ensure that consumers remain apprised of their CCPA rights.
This exclusion is likely to be used frequently in the technology and start-up space as companies that collect consumer information are purchased or merged with other companies. For example, a new social media company launches an application that collects consumer information. In the privacy policy for the new application the company discloses that it will not sell or share consumer information for any purpose. Google, wanting to expand its portfolio and wanting to have access to the consumer information that the new application contains, purchases the smaller social media company in an effort to monetize the consumer information. Upon completing the purchase, Google creates a notification for users of the application that displays when they login informing them of Google’s changes to the privacy policy. This notification informs the users that Google intends to use their personal information for monetary purposes and it also informs the consumer how they can opt-out. Because Google purchased the consumer information as an asset, notified the consumers about the material change to the privacy policy, and did not retroactively change the privacy policy, it has met the requirements for the exemption and also fulfilled the additional CCPA requirements for notice.
Conclusion
The definition of a “sale” under the CCPA is broad. With uncertainty as to what would constitute “valuable consideration” under the law, businesses should be prepared to embrace the broad, contract law definition of the term and should assume that their transactions are likely to be considered a “sale” under the CCPA unless one of the four exclusions apply. As such, businesses should evaluate the purposes for which they are providing consumer information to other parties and identify whether one of the exclusions applies. If the exceptions do not apply, businesses should prepare to meet all of the notice and attendant requirements connected with the sale of information under the CCPA.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.
* Note added 7/28/22: The CPRA now also defines “share” to refer to targeted advertising.